Securing Windows Server 2008: Installing and turning on BitLocker

Aaron Tiensivu covers steps for installing and turning on BitLocker in Windows Server 2008 in this chapter excerpt.

Service provider takeaway: This section of the chapter excerpt titled "Microsoft Windows Server 2008: Data Protection" is taken from the book Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization. The chapter excerpt provides a step-by-step approach for installing, configuring and turning on BitLocker.

Download the .pdf of the "Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization" chapter here.

Installing BitLocker on Windows Server 2008

As we already mentioned, BitLocker is a feature of Windows Server 2008 and is not installed by default. To install BitLocker, use Server Manager as you would for any other role or feature. Be aware that a restart is required after installation. You can also install BitLocker from the command line by typing ServerManagerCmd -install BitLocker -restart.

Here are the steps to follow to install BitLocker on Windows Server 2008.

1. Log on as an administrator.
2. Click Start | Administrative Tools | Server Manager.
3. Scroll down to Feature Summary; click Add Features.
4. On the Select Features page, choose BitLocker Drive Encryption and then click Next.
5. On the Confirm Installation Selections page, click Install.
6. When installation is complete, click Close.
7. In the Do you want to restart? dialog box, click Yes.

Turning on and Configuring BitLocker

After installing the BitLocker feature on your server and rebooting the system, you need to turn on BitLocker via a Control Panel applet. Make sure you are logged on as an administrator and have decided where to store the recovery password. If your computer does not have a Trusted Platform Module (TPM), or the TPM is not supported, you will receive a warning.

Here are the steps to follow for turning on BitLocker.

1. Log on as an administrator.
2. Click Start, click Control Panel, and then click BitLocker Drive Encryption.
3. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume.
4. On the BitLocker Drive Encryption Platform Check dialog box, click Continue with BitLocker Drive Encryption.
5. If your TPM is not initialized already, you will see the Initialize TPM Security Hardware screen.
6. On the Save the recovery password page, click Save the password on a USB drive.
7. On the Save a Recovery Password to a USB Drive box, select your USB drive and click Save.
8. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check checkbox is selected, and then click Continue.
9. Confirm that you want to reboot.

During the reboot phase, BitLocker verifies the system and makes sure it is ready for encryption. After rebooting the system, log back on and verify that the Encryption in Progress status bar is displayed in the BitLocker Control Panel applet. If your system cannot be enabled for BitLocker, an error message pops up during logon.

Turning on BitLocker for Data Volumes

Now we'll show you how to turn on BitLocker for data volumes.

1. Log on as an administrator.
2. Click Start, click All Programs, click Accessories, and then click Command Prompt.
3. At the command prompt, type manage-bde -on <volume>: -rp -rk F: (where <volume> is the drive letter of the data volume). This will encrypt the named volume, generate a recovery password, and store a recovery key on drive F: (which is the USB drive, in this example). Don't forget to record the recovery password!
4. At the command prompt, type manage-bde -autounlock -enable <volume>: to enable automatic unlocking of the volume. The key to automatically unlock the volume on each restart is stored on the operating system volume, which must be fully encrypted before this command is issued.
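The two commands above, wrapped in a batch script with the check the text calls for (the operating system volume must be fully encrypted before auto-unlock is enabled). This is an added example, not code from the book; it assumes D: is the data volume, C: the operating system volume, F: the USB drive, that manage-bde -status prints a "Conversion Status:" line reading "Fully Encrypted", and that manage-bde returns a non-zero exit code on failure.

```batch
@echo off
rem Added example (not from the book): turn on BitLocker for a data volume,
rem then enable auto-unlock only once the OS volume reports "Fully Encrypted".
rem Assumed drive letters (change to match your system):
setlocal
set DATAVOL=D:
set OSVOL=C:
set USBDRIVE=F:

rem 1. Encrypt the data volume. -rp generates a numerical recovery password
rem    (printed to the console; record it), -rk writes a recovery key to F:.
manage-bde -on %DATAVOL% -rp -rk %USBDRIVE%
if errorlevel 1 (
    echo Failed to turn on BitLocker for %DATAVOL%.
    exit /b 1
)

rem 2. Auto-unlock stores the data volume's key on the OS volume, so refuse
rem    to enable it while the OS volume is still converting (assumed output
rem    line: "Conversion Status:    Fully Encrypted").
manage-bde -status %OSVOL% | findstr /c:"Conversion Status:" | findstr /i /c:"Fully Encrypted" >nul
if errorlevel 1 (
    echo %OSVOL% is not fully encrypted yet. Re-run later:
    echo     manage-bde -autounlock -enable %DATAVOL%
    exit /b 2
)

rem 3. Safe to enable auto-unlock for the data volume now.
manage-bde -autounlock -enable %DATAVOL%
if errorlevel 1 (
    echo Failed to enable auto-unlock for %DATAVOL%.
    exit /b 3
)

rem 4. Print the final state of both volumes for the change record.
manage-bde -status %OSVOL%
manage-bde -status %DATAVOL%
endlocal
```

Encryption of the data volume continues in the background after step 1 returns; the script only gates auto-unlock on the operating system volume's state, as the text requires.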

Configuring BitLocker for TPM-Less Operation

The following steps configure your computer's Group Policy settings to turn on BitLocker on systems without a TPM.

1. Log on as an administrator.
2. Click Start, click Run, type gpedit.msc in the open box, and then click OK.
3. In the Local Group Policy Editor console tree, click Local Computer Policy, click Administrative Templates, click Windows Components, and then click BitLocker Drive Encryption.
4. Double-click the setting Control Panel Setup: Enable Advanced Startup Options.
5. Select the Enabled option, select the Allow BitLocker without a compatible TPM check box, and then click OK.

Turning on BitLocker on Systems without a TPM

Turning on BitLocker on systems without a TPM is similar to the normal activation process. Make sure you have a USB flash drive available to store the startup key.

1. Log on as an administrator.
2. Click Start, click Control Panel, and then click BitLocker Drive Encryption.
3. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume.
4. On the BitLocker Drive Encryption Platform Check dialog box, click Continue with BitLocker Drive Encryption.
5. On the Set BitLocker startup preferences page select Require Startup USB key at every startup.
6. On the Save your Startup Key page select your USB drive from the list and click Next.
7. On the Save the recovery password page, click Save the password on a USB drive.
8. On the Save a Recovery Password to a USB Drive Box, select your USB drive and click Save.
9. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check checkbox is selected, and then click Continue.
10. Confirm that you want to reboot.

About the book
"Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization" will teach you how to configure Windows Server 2008 to secure your network, how to use Windows Server 2008 hand-in-hand with Active Directory and Vista, and how to understand Server Core. This book also focuses on public key infrastructure management, virtualization, terminal services, Active Directory Domain security changes and certificate management.

Printed with permission from Syngress, a division of Elsevier. Copyright 2008. "Securing Windows Server 2008" by Aaron Tiensivu. For more information about this title and other similar books, please visit Elsevier.
